System and method of authenticating individuals

US 6,904,526 B1
Filed: 11/14/2000
Issued: 06/07/2005
Est. Priority Date: 04/28/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A method of authenticating an individual from at least one individual in an authentication system, including at least one dynamic password generator and at least one verifier, said dynamic password generator holding therein a first secret cryptographic key and a first dynamic variable, said verifier holding therein a second secret cryptographic key of said dynamic password generator and a second dynamic variable, said first and second dynamic variables being produced independently in said dynamic password generator and said verifier;

said method comprising steps of;

(a) in the event of generating a dynamic password, performing following steps by a microprocessor in said dynamic password generator;

(a1) segmenting said first dynamic variable, based on a predefined segment length and positions, identifying a first segment initial value and a first offset for said first dynamic variable;

(a2) carrying out a first encryption process on said first secret cryptographic key, said first segment initial value and said first offset to produce a first dynamic cipher;

carrying out a second encryption process on said first secret cryptographic key and said first dynamic variable to produce a second dynamic cipher;

(a3) combining said first dynamic cipher and said second dynamic cipher to produce a dynamic password;

(b) transmitting said dynamic password to said verifier;

(c) in the event of verifying a password, performing following steps by a microprocessor in said verifier;

(c1) separating a received dynamic password into a third dynamic cipher and a fourth dynamic cipher;

based on a predefined segment length and positions, segmenting said second dynamic, variable to identify a second segment initial value and a second offset for said second dynamic variable; and

calculating at least one estimated segment initial value and an estimated range of offsets based on said second segment initial value and said second offset;

(c2) carrying out a third encryption process on said third dynamic cipher, an estimated segment initial value and said second secret cryptographic key to produce a third offset;

(c3) if said third offset is within the estimated range of offsets, restituting a third dynamic variable with said third offset and said estimated segment initial value;

carrying out a fourth encryption process on said second secret cryptographic key and said third dynamic variable to produce a verification code;

comparing said verification code with said fourth dynamic cipher;

if matching, enabling the user to access since the user is deemed legal and having the verification terminated;

if mismatching, or said third offset is not within the estimated range of offsets, judging whether there is another estimated segment initial value;

if there is no other estimated segment initial value, rejecting the user'"'"'s access and having the verification terminated since the user is deemed illegal; and

if there is another estimated segment initial value, fetching a next estimated segment initial value and going to step (c2).

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of dynamic password authentication used in an authentication system, in which a password generator applies a segmentation on its dynamic variable, according to predetermined segment length and positions, to produce a segment initial value and an offset for the dynamic variable. An encryption process applied on secret cryptographic key, segment initial value and offset results in the production of first dynamic cipher. Another encryption process applied on secret cryptographic key, dynamic variable etc results in the production of second dynamic cipher. Then first dynamic cipher and second dynamic cipher are combined to result in the production of a dynamic password. When a password undergoes verification executed by verifier, the verifier applies appropriate inverse processing. The present method can serve to enable the generator generated dynamic password to transmit synchronous information implicitly to verifier, which improves security in generation of a dynamic password and efficiency in password verification. Therefore reduction in costs of generator manufacture may be resulted.

161 Citations

24 Claims

1. A method of authenticating an individual from at least one individual in an authentication system, including at least one dynamic password generator and at least one verifier, said dynamic password generator holding therein a first secret cryptographic key and a first dynamic variable, said verifier holding therein a second secret cryptographic key of said dynamic password generator and a second dynamic variable, said first and second dynamic variables being produced independently in said dynamic password generator and said verifier;
- said method comprising steps of;
  
  (a) in the event of generating a dynamic password, performing following steps by a microprocessor in said dynamic password generator;
  
  (a1) segmenting said first dynamic variable, based on a predefined segment length and positions, identifying a first segment initial value and a first offset for said first dynamic variable;
  
  (a2) carrying out a first encryption process on said first secret cryptographic key, said first segment initial value and said first offset to produce a first dynamic cipher;
  
  carrying out a second encryption process on said first secret cryptographic key and said first dynamic variable to produce a second dynamic cipher;
  
  (a3) combining said first dynamic cipher and said second dynamic cipher to produce a dynamic password;
  
  (b) transmitting said dynamic password to said verifier;
  
  (c) in the event of verifying a password, performing following steps by a microprocessor in said verifier;
  
  (c1) separating a received dynamic password into a third dynamic cipher and a fourth dynamic cipher;
  
  based on a predefined segment length and positions, segmenting said second dynamic, variable to identify a second segment initial value and a second offset for said second dynamic variable; and
  
  calculating at least one estimated segment initial value and an estimated range of offsets based on said second segment initial value and said second offset;
  
  (c2) carrying out a third encryption process on said third dynamic cipher, an estimated segment initial value and said second secret cryptographic key to produce a third offset;
  
  (c3) if said third offset is within the estimated range of offsets, restituting a third dynamic variable with said third offset and said estimated segment initial value;
  
  carrying out a fourth encryption process on said second secret cryptographic key and said third dynamic variable to produce a verification code;
  
  comparing said verification code with said fourth dynamic cipher;
  
  if matching, enabling the user to access since the user is deemed legal and having the verification terminated;
  
  if mismatching, or said third offset is not within the estimated range of offsets, judging whether there is another estimated segment initial value;
  
  if there is no other estimated segment initial value, rejecting the user'"'"'s access and having the verification terminated since the user is deemed illegal; and
  
  if there is another estimated segment initial value, fetching a next estimated segment initial value and going to step (c2).
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 2. The method of authenticating an individual according to claim 1, characterized in thatin said step (a2), said second encryption process is carried out on said first secret cryptographic key, said first dynamic variable and said first segment initial value to produce said second dynamic cipher;
    - in said step (c3), said fourth encryption process is carried out on said second secret cryptographic key, said third dynamic variable and said estimated segment initial value to produce said verification code.
  - 3. The method of authenticating an individual according to claim 1, characterized in thatin said step (a2), said second encryption process is carried out on said first secret cryptographic key, said first dynamic variable, said first segment initial value and said first offset to produce said second dynamic cipher;
    - in said step (c3), said fourth encryption process is carried out on said second secret cryptographic key, said third dynamic variable, said estimated segment initial value and said third offset to produce said verification code.
  - 4. The method of authenticating an individual according to claim 1, characterized in thatin said step (a2), said first encryption process including a first encryption algorithm carried out on said first secret cryptographic key and said first segment initial value to produce a first dynamic cryptographic key, and a first dynamic transformation table generated with said first dynamic cryptographic key;
    - wherein said first offset is translated into said first dynamic cipher by said first dynamic transformation table;
      
      in said step (c2), said third encryption process including a third encryption algorithm carried out on said second secret cryptographic key and said estimated segment initial value to produce a third dynamic cryptographic key, and a second dynamic transformation table generated with said third dynamic cryptographic key;
      
      wherein said third dynamic cipher is translated into said third offset by said second dynamic transformation table.
  - 5. The method of authenticating an individual according to claim 4, characterized in thatin said step (a2) by which said first dynamic cipher is produced, said first dynamic cryptographic key is used to construct a first dynamic permutation table, and said first offset is replaced with said first dynamic cipher by this table;
    - in said step (c2) by which said third offset is produced, said third dynamic cryptographic key is used to construct a second dynamic permutation table, and said third dynamic cipher is replaced with said third offset by this table.
  - 6. The method of authenticating an individual according to claim 4, characterized in thatin said step (a2) by which first dynamic cipher is produced, said first dynamic cryptographic key is used to construct a first random code-group, and a random code in said first random code-group is addressed by said first offset as said first dynamic cipher;
    - in said step (c2) by which third offset is produced, said third dynamic cryptographic key is used to construct a second random code-group, and the address of a random code in said second random code-group that matches said third dynamic cipher is said third offset.
  - 7. The method of authenticating an individual according to claim 2, characterized in thatin said step (a2), said second encryption process including a first encryption algorithm carried out on said first secret cryptographic key and said first segment initial value to produce a second dynamic cryptographic key, and a second encryption algorithm carried out on said second dynamic cryptographic key and said first dynamic variable to produce said second dynamic cipher;
    - in said step (c3), said fourth encryption process including a third encryption algorithm carried out on said second secret cryptographic key and said estimated segment initial value to produce a fourth dynamic cryptographic key, and a fourth encryption algorithm carried out on said fourth dynamic cryptographic key and said third dynamic variable to produce said verification code.
  - 8. The method of authenticating an individual according to claim 3, characterized in thatin said step (a2), said second encryption process including a first encryption algorithm carried out on said first secret cryptographic key and said first segment initial value to produce a second dynamic cryptographic key, which is then combined with said first offset to produce a fifth dynamic cryptographic key, and a second encryption algorithm carried out on said fifth dynamic cryptographic key and said first dynamic variable to produce said second dynamic cipher;
    - in said step (c3), said fourth encryption process including a third encryption algorithm carried out on said second secret cryptographic key and said estimated segment initial value to produce a fourth dynamic cryptographic key, which is then combined with said third offset to produce a sixth dynamic cryptographic key, and a fourth encryption algorithm carried out on said sixth dynamic cryptographic key and said third dynamic variable to produce said verification code.
  - 9. The method of authenticating an individual according to claim 1, characterized in thatsaid dynamic password generator is initiated to generate a first verifier code, and that the verifier side has a second verifier code, and that on said dynamic password generator, said first encryption process is carried out on said first verifier code, said first secret cryptographic key, said first segment initial value and said first offset to produce said first dynamic cipher, and said second encryption process is carried out on said first secret cryptographic key, said first dynamic variable and said first verifier code to produce said second dynamic cipher, and that on said verifier, said third encryption process is carried out on said second verifier code, said second secret cryptographic key, said estimated segment initial value and said third dynamic cipher t6 produce said third offset, and said fourth encryption process is carried out on said second verifier code, said second secret cryptographic key, and said third dynamic variable to produce said verification code.
  - 11. The method of authenticating an individual according to claim 1, characterized in thatin said step (a1) and (c1), the method adopted for predefining a segment length and positions of said first and second dynamic variable uses said segment length to define the number of dynamic variables in a segment and the maximum offset, and uses said positions to define the starting point of a segment and segment initial values.
  - 12. The method of authenticating an individual according to claim 1, characterized in thatsaid first and second dynamic variables are defined respectively by the clocks of said dynamic password generator and said verifier, or defined by the number of times of passwords generated by said dynamic password generator.
  - 13. The method of authenticating an individual according to claim 12, characterized in thatif said first and second dynamic variables are defined by time, selecting said segment length greater enough than the maximum possible difference between the clocks of said dynamic password generator and said verifier during the effective time period of said dynamic password generator;
    - if said first and second dynamic variables are defined by the number of times of passwords generated by said dynamic password generator, selecting said segment length greater enough than the number of times of unverified passwords continuously generated by said dynamic password generator, which does not exceed the number permitted by said authentication system.
  - 14. The method of authenticating an individual according to claim 12, characterized in thatif said first and second dynamic variables are defined by time, said first and second dynamic variables should be time values or their function values of a predefined time unit having a fundamental duration interval;
    - if said first and second dynamic variables are defined by the number of times of passwords generated by said dynamic password generator, said first and second dynamic variables should be the values or their function values of the number of times of passwords generated by said dynamic password generator.
  - 15. The method of authenticating an individual according to claim 1, characterized in thatbefore carrying out of said first encryption process or said first encryption algorithm on said first segment initial value, a first coding is given to said first segment initial value, and before carrying out of said second encryption process or said second encryption algorithm on said first dynamic variable, a second coding is given to said first dynamic variable, and the ways of said first coding and said second coding are different;
    - before carrying out of said third encryption process or said third encryption algorithm on said estimated segment initial value, a third coding is given to said estimated segment initial value, and before carrying out of said fourth encryption process or said fourth encryption algorithm on said third dynamic variable, a fourth coding is given to said third dynamic variable, and the ways of said third coding and said fourth coding are different.
  - 16. The method of authenticating an individual according to claim 4, characterized in thatsaid first and second dynamic transformation tables generated by said first and third dynamic cryptographic keys is greater than said segment length.
  - 17. The method of authenticating an individual according to 1, characterized in thatif said segment length is no greater than 240, taking the length of said first and third dynamic ciphers as 8 bits.
  - 18. The method of authenticating an individual according to claim 11, characterized in thatthe selection of said segment length should enable said starting point of a segment defined daily to remain consistent, and the selection of said starting point of a segment should keep away from the position of comparatively frequent user utilization period of said dynamic password generator.
  - 19. The method of authenticating an individual according to claim 11, characterized in thataccording to predefined said segment length and said positions, said first dynamic variable is equal to the product of said first segment initial value and a specific value, plus said first offset;
    - and said second dynamic variable is equal to the product of said second segment initial value and a specific value, plus said second offset.
  - 20. The method of authenticating an individual according to claim 1, characterized in thatin said step (c3), if a match between said verification code and said fourth dynamic cipher is found, comparing said third dynamic variable with the third dynamic variable of last successful access, if the former quantity is found to be greater than the latter quantity, the user is judged as legal, access is thus enabled, and using said third dynamic variable to substitute the third dynamic variable of last successful access, storing in a database, and then verification procedure is terminated;
    - in cases where the former quantity is not greater than the latter quantity, the user is judged as illegal and access is rejected, and then verification procedure is terminated.
  - 21. The method of authenticating an individual according to claim 1, characterized in thatthe method of estimating segment initial values and the range of offsets is based on said second segment initial value and said second offset, selecting said second segment initial value and adjacent segment initial values in front of or behind said second segment initial value as said estimated segment initial values, selecting said second offset and adjacent offsets in front of and behind said second offset as said range of offsets;
    - and the number of selected estimated segment initial values can not be greater than two, and the number of offsets within said range of offsets can be greater than one.
  - 22. The method of authenticating an individual according to claim 1, characterized in thatif said first and second dynamic variables are defined by time, the method of estimating segment initial values and the range of offsets is based on said second segment initial value R and said second offset r, defining an enabled error range [c1, c2] by the difference between last third dynamic variable and said second dynamic variable, defining an deviation value diff by the difference between last third dynamic variable and last second dynamic variable, defining a small value b1=r+diff+c1, and a large value b2=r+diff+c2;
    - marking said maximum offset as max;
      
      when b2<
      
      0, said estimated segment initial value is the values R1 adjacent and in front of R, and said estimated range of offsets is [b1+max, b2+max];
      
      when b1<
      
      0<
      
      b2, one of said estimated segment initial values is the value R1 adjacent and in front of R, and said estimated range of offsets is [b1+max, max];
      
      another estimated segment initial value is the value R, and said estimated range of offsets is [0, b2];
      
      when b1>
      
      max, said estimated segment initial value is the value R2 adjacent and behind R, and said estimated range of offsets is [b1−
      
      max, b2−
      
      max];
      
      when b1<
      
      max<
      
      b2, one of said estimated segment initial values is the value R2 adjacent and behind R, and said estimated range of offsets is [0, b2−
      
      max];
      
      another estimated segment initial value is the value R, and said estimated range of offsets is [b1, max];
      
      when neither of b1 or b2 are smaller than 0 and both are not greater than max, said estimated segment initial value is the value R, and said estimated range of offsets is [b1, b2];
      
      if said first and second dynamic variables are defined by the number of times of passwords generated by the password generator, the method of estimating segment initial values and the range of offsets is based on accordance with said second segment initial value R and said second offset r, defining the number of times d by said authentication system, defining a small value b1=r, and a large value b2=r+d;
      
      marking said maximum offset as max;
      
      when b2>
      
      max, one of said estimated segment initial value is the value R2 adjacent and behind R, and said estimated range of offsets is [0, b2−
      
      max];
      
      another estimated segment initial value is the value R, and said estimated range of offsets is [b1, max];
      
      when b2 is not greater than max, said estimated segment initial value is the value R and said estimated range of offsets is [b1, b2].
  - 23. The method of authenticating an individual according to claim 1, characterized in thatif said first and second dynamic variables are defined by time, the method of estimating segment initial values and the range of offsets is based on accordance with said second segment initial value R and said second offset r, defining an enabled error range [c1, c2] by the difference between last third dynamic variable and said second dynamic variable, defining a deviation value diff by the difference between last third dynamic variable and last second dynamic variable, computing an average deviation diff/d1 in accordance with the number of time intervals d1 counted from first successful verification to last successful verification, estimating a deviation σ
    - =(diff/d1)×
      
      d2 in accordance with the number of time intervals d2 counted from last successful verification to present verification, and defining a small value b1=r+diff+a+c1 and a large value b2=r+diff+σ
      
      +c2;
      
      marking said maximum offset as max;
      
      when b2<
      
      0, said estimated segment initial value is the values R1 adjacent and in front of R, and said estimated range of offsets is [b1+max, b2+max];
      
      when b1<
      
      0<
      
      b2, one of said estimated segment initial values is the value R1 adjacent and in front of R, and said estimated range of offsets is [b1+max, max];
      
      another estimated segment initial value is the value R, and said estimated range of offsets is [0, b2];
      
      when b1>
      
      max, said estimated segment initial value is the value R2 adjacent and behind R, and said estimated range of offsets is [b1−
      
      max, b2−
      
      max];
      
      when b1<
      
      max<
      
      b2, one of said estimated segment initial values is the value R2 adjacent and behind R, and said estimated range of offsets is [0, b2−
      
      max];
      
      another estimated segment initial value is the value R, and said estimated range of offsets is [b1, max];
      
      when neither of b1 or b2 are smaller than 0 and both are not greater than max, said estimated segment initial value is the value R, and said estimated range of offsets is [b1, b2].

10. A method of authenticating an individual from at least one individual in an authentication system, including at least one dynamic password generator and at least one verifier, said dynamic password generator holding therein a first secret cryptographic key and a first dynamic variable, said verifier holding therein a second secret cryptographic key of said dynamic password generator and a second dynamic variable, said first and second dynamic variables being produced in concert but independently in said dynamic password generator and said verifier;
- said method comprising steps of;
  
  (a) in the event of generating a dynamic password, performing following steps by a microprocessor in said dynamic password generator;
  
  (a1) segmenting said first dynamic variable, based on a predefined segment length and positions, identifying a first segment initial value and a first offset for said first dynamic variable;
  
  (a2) carrying out a first encryption algorithm on said first secret cryptographic key and said first segment initial value to output a first dynamic cryptographic key and a second dynamic cryptographic key;
  
  generating a first dynamic transformation table based on said first dynamic cryptographic key;
  
  translating said first offset into a first dynamic cipher by said first dynamic transformation table;
  
  combining said second dynamic cryptographic key and said first offset to generate a fifth dynamic cryptographic key; and
  
  carrying out a second encryption algorithm on said fifth dynamic cryptographic key and said first dynamic variable to produce a second dynamic cipher;
  
  (a3) combining said first dynamic cipher and said second dynamic cipher to produce a dynamic password;
  
  (b) transmitting said dynamic password to said verifier;
  
  (c) in the event of verifying a password, performing following steps by a microprocessor in said verifier;
  
  (c1) separating a received dynamic password into a third dynamic cipher and a fourth dynamic cipher;
  
  segmenting said second dynamic variable, based on a predefined segment length and positions, identifying a second segment initial value and a second offset for said second dynamic variable; and
  
  calculating at least one estimated segment initial value and an estimated range of offsets based on said second segment initial value and said second offset;
  
  (c2) carrying out a third encryption algorithm on said second secret cryptographic key and an estimated segment initial value to output a third dynamic cryptographic key and a fourth dynamic cryptographic key;
  
  generating a second dynamic transformation table based on said third dynamic cryptographic key, and translating said third dynamic cipher into a third offset by said second dynamic transformation table;
  
  (c3) if said third offset is within the estimated range of offsets, restituting a third dynamic variable with said third offset and said estimated segment initial value;
  
  combining said fourth dynamic cryptographic key and said third offset to generate a sixth dynamic cryptographic key;
  
  carrying out a fourth encryption algorithm on said sixth dynamic cryptographic key and said third dynamic variable to produce a verification code;
  
  comparing said verification code with said fourth dynamic cipher;
  
  if matching, enabling the user to access since the user is deemed legal and having the verification terminated;
  
  if mismatching, or said third offset is not within the estimated range of offsets, judging whether there is another estimated segment initial value;
  
  if there is no another estimated segment initial value, rejecting the user'"'"'s access and having the verification terminated since the user is deemed illegal; and
  
  if there is another estimated segment initial value, fetching a next estimated segment initial value and going to step (c2).

24. A system of authenticating an individual from at least one individual in a computer network which includes at least one dynamic password generator and at least one verifier, said dynamic password generator holding therein a first secret cryptographic key and a first dynamic variable, said verifier holding therein a second secret cryptographic key of said dynamic password generator and a second dynamic variable, said first and second dynamic variables being produced independently in said dynamic password generator and said verifier;
- characterized in thatsaid dynamic password generator comprises;
  
  means for segmenting said first dynamic variable, based on a predefined segment length and positions, and identifying a first segment initial value and a first offset for said first dynamic variable;
  
  means for carrying out a first encryption process on said first secret cryptographic key, said first segment initial value and said first offset to produce a first dynamic cipher;
  
  means for carrying out a second encryption process on said first secret cryptographic key and said first dynamic variable to produce a second dynamic cipher;
  
  means for combining said first dynamic cipher and said second dynamic cipher to produce a dynamic password;
  
  and that said verifier comprises;
  
  means for separating a received dynamic password into a third dynamic cipher and a fourth dynamic cipher;
  
  means for segmenting said second dynamic variable to identify a second segment initial value and a second offset for said second dynamic variable based on a predefined segment length and positions;
  
  means for calculating at least one estimated segment initial value and an estimated range of offsets based on said second segment initial value and said second offset;
  
  means for carrying out a third encryption process on said third dynamic cipher, an estimated segment initial value and said second secret cryptographic key to produce a third offset;
  
  means for restituting a third dynamic variable with said third offset and said estimated segment initial value if said third offset is within the estimated range of offsets;
  
  means for carrying out a fourth encryption process on said second secret cryptographic key and said third dynamic variable to produce a verification code;
  
  means for comparing said verification code with said fourth dynamic cipher;
  
  means for enabling the user to access if matching;
  
  means for judging whether there is another estimated segment initial value, if mismatching, or said third offset is not within the estimated range of offsets;
  
  means for rejecting the user'"'"'s access and having the verification terminated if there is no other estimated segment initial value;
  
  means for fetching a next estimated segment initial value and giving control to said means for restituting a third dynamic variable if there is another estimated segment initial value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Yang Hongwei
Original Assignee
Yang Hongwei
Inventors
Hongwei, Yang
Primary Examiner(s)
Sheikh, Ayaz
Assistant Examiner(s)
MASHAAL, ALI M

Application Number

US09/711,303
Time in Patent Office

1,666 Days
Field of Search

713/182, 713/183, 713/172
US Class Current

713/182
CPC Class Codes

G06F 21/31 User authentication

System and method of authenticating individuals

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

161 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

System and method of authenticating individuals

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

161 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links